© 2010 VMware Inc. All rights reserved
The Hitchhiker's Guide To Identity
Taking the Hyperspace Bypass:
Controlling User Access to Other Worlds
Dale Olds, Sr. Staff Engineer, VMware Horizon Workspace
Cloud Identity Summit, July 2013
Agenda
- Crossing boundaries with identity information
- Single sign-on and federated authentication
- Provisioning user information across borders
- Delegated authorization for distributed applications
- Standards and Vogon poetry
Crossing Boundaries with Identity Information
The limits of embedded accounts and shared directory services
It's a people problem
- One account per application is killing us all – too many damn passwords
- Initially easier for developers, but ultimately impossible for users as applications proliferate
- Username and password is easy, change is hard.
It's a management problem
- Management domains (organizations) have different needs and control
- Multiple apps can share a directory service such as Active Directory, but generally only within a management domain
- The larger the management domain, the more political and difficult it is to change – schema becomes concrete
The solution is to enable the controlled transfer of identity information across management domains.
Think Facebook Connect.
In the last few years Facebook may have accomplished more to promote the common understanding of federated identity than all the major enterprise vendors have in the last 20.
Users now think of accounts as independent from applications. I have an account at Facebook. I can use it at other places.
Single Sign-on and Federated Authentication
Federated authentication
Authentication is the act of confirming the truth of an attribute of a datum
or entity... often involves verifying the validity of at least one form of
identification. (wikipedia)
Let's try that again. For our purposes:
Authentication is the act of determining who is making a request. For apps
with embedded user accounts, often called login.
Using Federated Authentication, an app trusts an identity provider to
authenticate the user. The app gets the user's identity information from the
provider, but is not involved in the act of authentication. The identity
provider may be in another management domain.
This is not like multiple apps sharing a directory service, where the apps
authenticate users independently using common data.
SAML and OpenID Connect are protocols for federated authentication
Browser redirects
[Diagram: browser; Old Documents Site; New Documents Site]
1. Browser to the old site: get me the Burning Man Survival Guide.
2. Old site: the document has moved, here is the new name and location.
3. Browser to the new site: get me the new document.
The vast majority of federated authentication systems, including all versions of SAML (its web browser SSO profiles), OpenID, and OAuth, use browser redirects to separate the act of authentication from an app.
Federated authentication – solved for web applications
[Diagram: browser; facespace identity provider (idp); sparklr photo sharing app; printr photo printing app; editr photo editing app]
1. Joe starts at sparklr but he's not logged in; sparklr redirects him to the idp.
2. Joe logs in with a method known only to the idp. The idp saves a session with Joe and redirects back to sparklr with a signed token saying this is Joe.
3. Sparklr trusts the token from the idp, sets up a session with Joe and grants access.
4. When Joe accesses printr or editr, they redirect him to the idp, which already has a session with Joe, so he is immediately redirected back with a token.
Single sign-on!
Advantages of federated authentication
- Since an identity provider can authenticate users for many apps, there should be fewer (but more secure) authentication sources.
- Identity providers can add better authentication methods with no change to connected applications
- Major identity providers are already adding multifactor, continuous authentication – trending toward recognition.
- Incentives are to let a few identity providers handle authentication, and web applications focus on features.
- Consider the Gawker and LivingSocial cracks.
"If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised."
Tim O'Shaughnessy, CEO of LivingSocial
Federated authentication – solved for web applications?
Unfortunately solutions are a primary cause of problems
(and there are some problems with this solution)
Federated authentication for web apps: downsides
[Diagram: browser; facespace identity provider (idp); fake idp; sparklr, evil photo sharing app; printr photo printing app; editr photo editing app]
- Privacy concerns: the idp knows every site that Joe accesses with this account. Other systems have been proposed, but they involve significant changes and trust of the user's machine (see Information Cards, BrowserID).
- Phishing concerns: if sparklr is evil it could redirect to a fake idp, which reads the real idp's UI, presents it to the user and steals their credentials.
- The problem with logout: what does it actually mean? Users are confused... if I log out of the app, I'm still logged in at the idp, which gives me SSO with the app? If I log out of the idp, what should that mean for the apps?
- What about non-browser apps? I've heard that mobile apps may be important.
Federated authentication – the future
SAML and OpenID Connect (with OAuth2) are useful now for many use cases.
We've made great progress, but there are many unresolved issues. Technological evolution and cultural change must continue.
Work on OpenID Connect extensions for federated authentication for mobile applications is underway (see the AZA workshop).
Advances in continuous authentication and recognition make authentication more convenient and more secure.
Preventing phishing will be a longer, multi-component issue. Help from browsers is important, and users may need to learn new expectations when interacting with sites.
Provisioning User Information across Borders
Provisioning
Old fashioned provisioning: just get the sysadmins to copy the identity information across boundaries!
Common questions:
- If we have effective provisioning, do we need federated authentication?
- If we have federated authentication, do we need provisioning?
Classic, push, a priori, static provisioning
- pros: forward references, less change, supports deprovisioning
- cons: proliferates copies of identity information, hard to update, authentication issues
Just in time (JIT) provisioning
- pros: only create accounts when needed, no provisioning protocol or APIs needed (side effect of authentication).
- cons: no forward references, no deprovisioning
Provisioning standards: LDAP, SPML, SCIM
Delegated Authorization for Distributed Applications
Federated authentication: protecting the front door
Federated authentication controls how users gain access to an app. This is like controlling who can come into the front door of a store.
But the loading dock is open...
Modern apps aggregate information from other services; we need to control access to those services as well.
Who's protecting the loading dock?
A modern web or cloud app uses external services
[Diagram: browser; facespace identity provider (idp); sparklr photo sharing app; photo printing service; map data service; photo storage service; together these form a distributed app]
Joe needs to delegate authorization such that sparklr can access the services on his behalf.
Enter OAuth2
But first, let's talk about what happens when selling a car
Illustration: selling a car
[Diagram: Sam; Bank; Joe, used car broker; me, selling a rusty 2000 Nissan Pathfinder]
1. Sam tells Joe he'll take the Pathfinder. Joe replies that he'll need a cashier's check for the purchase price.
2. Sam authenticates and gets a cashier's check.
3. Sam gives the check (signed by the bank) to Joe.
4. Joe gives the check to me in exchange for the car.
I don't really care who Joe and Sam are; the check authorizes the transaction and it's guaranteed by the bank.
Contents of a cashier's check
- issuing bank
- check number
- account and name
- authorized amount
- issued at date
- expiration date
- recipient
- authorized signature
Same transaction in OAuth2 terms
[Diagram: resource owner (user); client application (Joe, broker); authorization server (bank); resource server (me with the Pathfinder)]
1. User accesses the application but is not authorized. The application redirects the user to the authorization server with instructions of what authorization to request.
2. User authenticates and approves release of a token containing proof of authorization.
3. User is redirected back to the client app, which gets the token.
4. Client app presents the token to the resource server to authorize access to the resource.
JSON web token (JWT) – a check format for the web
- JWT is an IETF specification (still a draft when this talk was given; pronounced 'jot')
- Three parts: header, content, signature
- While commonly used with OAuth2, OAuth2 does not require JWTs.
- OpenID Connect does require JWTs for the id_token
Sample token content, with corresponding cashier's check fields:

  jwt         meaning                    cashier's check
  iss         issuer                     issuing bank
  jti         token ID                   check number
  sub         subject                    account & name
  iat         issued at                  issued at date
  exp         expiration                 expiration date
  aud         audience                   recipient
  azp         OIDC authorized party
  scope*      authorization              authorized amount
  signature   third part of the token    authorized signature

* commonly used, but not specified in JWT or OpenID Connect
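As an added example, not code from the deck or from any VMware product, the following Python mints and verifies a compact HS256 JWT carrying the claims in the table above. It also stands in for the "signed token that this is Joe" from the single sign-on sequence earlier: the audience check is what stops printr from accepting a token the idp made out to sparklr. The shared key, the issuer URL, the app names, the scope claim and the lifetimes are assumptions. A real identity provider would sign with an asymmetric key (RS256 or ES256) so that relying parties can verify tokens without being able to mint them.

```python
"""Mint and verify a compact JWS (HS256) carrying the claims the slide maps to a
cashier's check.  Added example; key, issuer, audiences and lifetimes are assumed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Assumed: a symmetric key shared between the identity provider and its apps.
# Production systems use an asymmetric key so apps can verify but not mint.
IDP_KEY = b"facespace-demo-shared-secret"
ISSUER = "https://idp.facespace.example"   # assumed issuer identifier


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, scope: str, ttl: int = 300, now=None) -> str:
    """The issuing bank writes the check: header.payload.signature."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,            # issuing bank
        "jti": uuid.uuid4().hex,  # check number (lets a recipient refuse replays)
        "sub": subject,           # account & name
        "iat": now,               # issued at date
        "exp": now + ttl,         # expiration date
        "aud": audience,          # recipient
        "scope": scope,           # authorized amount (assumed claim, not in JWT/OIDC)
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    pass


def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """The recipient checks the signature first, then every field it relies on."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not three parts")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(IDP_KEY, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    # aud may also be a list in real tokens; this example issues a single string.
    if claims.get("aud") != expected_aud:
        raise TokenRejected("check was made out to someone else")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired")
    return claims


def is_accepted(token: str, expected_aud: str, now=None) -> bool:
    """Yes/no form of verify_token for callers that do not need the claims."""
    try:
        verify_token(token, expected_aud, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    tok = mint_token("joe", "sparklr", "photos.read")
    print(verify_token(tok, "sparklr"))       # accepted by the recipient it names
    print(is_accepted(tok, "printr"))         # False: wrong audience
```

The order of checks matters: the signature is verified over the raw base64 segments before the payload is parsed, so a tampered payload is rejected without ever being interpreted, and the expected algorithm is fixed by the verifier rather than read from the token.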
Implicit grant
[Diagram: resource owner via user agent (browser); client application; authorization server; resource server]
1. User accesses the application but is not authorized. The application redirects the user to the authorization server to request authorization.
2. User authenticates and approves release of a token containing proof of authorization.
3. User is redirected back to the client app with an access token in the location fragment.
4. Client app presents the access token to the resource server to authorize access. The client app can use the access token until it expires.
- access token is exposed to the user's agent.
- access token lifetime is the longest interval during which the user cannot revoke access.
- client id and redirect URLs must be registered; there is no client secret.
- generally a less secure and less convenient grant: avoid if possible.
Authorization code and refresh token grants
[Diagram: resource owner via user agent (browser); client application; authorization server; resource server]
1. User accesses the application but is not authorized. The application redirects the user to the authorization server to request authorization.
2. User authenticates and approves release of a token containing proof of authorization.
3. User is redirected back to the client app with an authorization code.
4. Client redeems the authorization code for access and refresh tokens.
5. Client app presents the access token to the resource server to authorize access. The client app can use the refresh token to request a new access token on expiration.
- access and refresh tokens aren't exposed to the user's agent.
- access token lifetime is the longest interval during which the user cannot revoke access.
- refresh token lifetime is the interval before the user has to re-authenticate.
- client id, secret and redirect URLs must be registered
Resource owner password grant from native app
[Diagram: resource owner via native app; authorization server; resource server]
1. User accesses the cloud controller (the resource) through the native app but is not authorized. The app collects the username and password.
2. App posts the user's credentials to the authorization server, requesting the password grant; the server authenticates the user and auto-approves release of a token containing proof of authorization.
3. The authorization server returns to the app with an access token and a refresh token.
4. App presents the access token to the resource server to authorize access. The app can use the access token until it expires, but can get a new access token with the refresh token.
- access and refresh tokens are exposed to the user's machine.
- access token lifetime is the longest interval during which the user cannot revoke access.
- authentication is limited to username and password, and the app itself handles the user's password.
Client credentials grant
[Diagram: client application; authorization server; resource server]
1. Client authenticates and gets an access token with all its registered authorizations.
2. Client app presents the access token to the resource server to authorize access.
- access token cannot be revoked for its lifetime.
- client id and secret must be registered
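As an added example, not code from the deck or from any product it mentions, here is an in-memory Python authorization server that walks the authorization code grant (steps 1 to 5 above), the refresh token grant and the client credentials grant, and enforces the points listed beside the diagrams: the redirect URL must be registered, the client secret is required on the back channel, a code is redeemed once, and revoking the user cannot shorten an access token that is already out. The client name, its secret, the callback URL, the scopes and the lifetimes are assumptions, and it goes one step beyond the slides by rotating the refresh token on every use.

```python
"""In-memory OAuth2 authorization server for the authorization code, refresh token
and client credentials grants.  Added example; client registration, secret,
redirect URI, scopes and lifetimes are assumed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


class OAuthError(Exception):
    pass


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str]   # None would be a public client (implicit grant)
    redirect_uris: Set[str]        # registered up front, never trusted from the request alone
    allowed_scopes: Set[str]


class AuthorizationServer:
    ACCESS_TTL = 600      # longest interval during which the user cannot revoke access
    REFRESH_TTL = 86400   # after this the user must re-authenticate

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes: Dict[str, Tuple] = {}    # code  -> (client_id, redirect_uri, sub, scope, exp)
        self.access: Dict[str, Tuple] = {}   # token -> (client_id, sub, scope, exp)
        self.refresh: Dict[str, Tuple] = {}  # token -> (client_id, sub, scope, exp)

    # Steps 1-3, front channel: the user has authenticated here and approved the scope.
    def authorize(self, client_id, redirect_uri, scope, sub, now):
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            raise OAuthError("unknown client or unregistered redirect_uri")
        if not set(scope.split()) <= client.allowed_scopes:
            raise OAuthError("scope not allowed for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, sub, scope, now + 60)
        return f"{redirect_uri}?code={code}"   # the browser only ever sees the code

    # Step 4, back channel: the client proves its identity and redeems the code once.
    def token_from_code(self, client_id, client_secret, code, redirect_uri, now):
        self._authenticate_client(client_id, client_secret)
        entry = self.codes.pop(code, None)     # pop: a code is single use
        if entry is None:
            raise OAuthError("invalid or already redeemed code")
        code_client, code_uri, sub, scope, exp = entry
        if code_client != client_id or code_uri != redirect_uri or now >= exp:
            raise OAuthError("code belongs to another client/redirect, or has expired")
        return self._issue(client_id, sub, scope, now, with_refresh=True)

    def token_from_refresh(self, client_id, client_secret, refresh_token, now):
        self._authenticate_client(client_id, client_secret)
        entry = self.refresh.pop(refresh_token, None)   # rotate: the old refresh token dies
        if entry is None or entry[0] != client_id or now >= entry[3]:
            raise OAuthError("refresh token invalid, expired or revoked")
        return self._issue(client_id, entry[1], entry[2], now, with_refresh=True)

    # Client credentials grant: no user involved, only the client's registered authorizations.
    def token_from_client_credentials(self, client_id, client_secret, now):
        client = self._authenticate_client(client_id, client_secret)
        scope = " ".join(sorted(client.allowed_scopes))
        return self._issue(client_id, None, scope, now, with_refresh=False)

    def revoke_user(self, sub):
        """User withdraws consent: refresh tokens die now, but access tokens already
        issued keep working until they expire (the ACCESS_TTL window)."""
        self.refresh = {t: e for t, e in self.refresh.items() if e[1] != sub}

    def introspect(self, access_token, now):
        """What a resource server asks before honouring a bearer token."""
        entry = self.access.get(access_token)
        if entry is None or now >= entry[3]:
            return None
        return {"client_id": entry[0], "sub": entry[1], "scope": entry[2]}

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if (client is None or client.client_secret is None or client_secret is None
                or not secrets.compare_digest(client.client_secret, client_secret)):
            raise OAuthError("client authentication failed")
        return client

    def _issue(self, client_id, sub, scope, now, with_refresh):
        access = secrets.token_urlsafe(32)
        self.access[access] = (client_id, sub, scope, now + self.ACCESS_TTL)
        out = {"access_token": access, "token_type": "bearer", "expires_in": self.ACCESS_TTL}
        if with_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh[refresh] = (client_id, sub, scope, now + self.REFRESH_TTL)
            out["refresh_token"] = refresh
        return out


def rejected(call, *args, **kwargs) -> bool:
    """True when the server refuses the request (used when walking through the grants)."""
    try:
        call(*args, **kwargs)
        return False
    except OAuthError:
        return True


# Assumed registration: sparklr is a confidential client with one callback URL.
SPARKLR = Client("sparklr", "sparklr-secret", {"https://sparklr.example/cb"},
                 {"photos.read", "print"})
```

Note what the `revoke_user` path shows: the user can stop the client from obtaining any new access token, but the access token already in the client's hands stays valid until `ACCESS_TTL` elapses, which is why the slides describe that lifetime as the longest interval during which the user cannot revoke access, and why short access tokens paired with refresh tokens are the usual compromise.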
Standards and Vogon poetry
Standards landscape: federated authentication
"There is no future for SAML. No one is putting money into SAML development. NO ONE is writing new SAML code. SAML is dead."
Craig Burton, CIS 2012
While Craig's statement was entertaining, my team respectfully disagrees. We continue to implement SAML because our business is to support valid customer use cases.
For us, SAML isn't dead, it's done. It's complete. We can safely implement it.
OpenID Connect is very promising. It's not dead, but it's not done.
- OpenID Connect has been baking for over 3 years
- It is implementable, useful now and fairly stable.
- Combines very well with OAuth2 (delegated authorization) and SCIM (provisioning) for a mostly complete identity system.
Standards landscape: provisioning and delegated authorization
Provisioning
- My bet is on the Simple Cloud Identity Management (SCIM 1.1) protocol produced by a group of interested individuals.
- And my bet is on the IETF's System for Cross-domain Identity Management (SCIM 2.0) protocol.
- SCIM 1.1 is implementable, stable, and combines well with OAuth2
- SCIM 2.0 is the first IETF version of the spec and has been in development for just over a year.
Delegated Authorization
- OAuth2 rules and is becoming a family of specifications.
- Personally, I like to use it with JWT, which is also becoming a family of specifications.
Questions?

 
Enterprise Security Requirements
Enterprise Security RequirementsEnterprise Security Requirements
Enterprise Security Requirements
 
RSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud IdentityRSA Europe: Future of Cloud Identity
RSA Europe: Future of Cloud Identity
 
OAuth with Salesforce - Demystified
OAuth with Salesforce - DemystifiedOAuth with Salesforce - Demystified
OAuth with Salesforce - Demystified
 
Universal login
Universal loginUniversal login
Universal login
 
Credit Cooperative Society Software
Credit Cooperative Society SoftwareCredit Cooperative Society Software
Credit Cooperative Society Software
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 

Plus de CloudIDSummit

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content HighlightsCloudIDSummit
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016CloudIDSummit
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CloudIDSummit
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2CloudIDSummit
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CloudIDSummit
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CloudIDSummit
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CloudIDSummit
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CloudIDSummit
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCloudIDSummit
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian KatzCloudIDSummit
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CloudIDSummit
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCloudIDSummit
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCloudIDSummit
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...CloudIDSummit
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCloudIDSummit
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCloudIDSummit
 

Plus de CloudIDSummit (20)

CIS 2016 Content Highlights
CIS 2016 Content HighlightsCIS 2016 Content Highlights
CIS 2016 Content Highlights
 
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016Top 6 Reasons You Should Attend Cloud Identity Summit 2016
Top 6 Reasons You Should Attend Cloud Identity Summit 2016
 
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
CIS 2015 Security Without Borders: Taming the Cloud and Mobile Frontier - And...
 
Mobile security, identity & authentication reasons for optimism 20150607 v2
Mobile security, identity & authentication   reasons for optimism 20150607 v2Mobile security, identity & authentication   reasons for optimism 20150607 v2
Mobile security, identity & authentication reasons for optimism 20150607 v2
 
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
CIS 2015 Mobile Security, Identity & Authentication: Reasons for Optimism - R...
 
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
CIS 2015 Virtual Identity: The Vision, Challenges and Experiences in Driving ...
 
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
CIS 2015 Deploying Strong Authentication to a Global Enterprise: A Comedy in ...
 
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
CIS 2015 Without Great Security, Digital Identity is Not Worth the Electrons ...
 
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian PuhlCIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
CIS 2015 Mergers & Acquisitions in a Cloud Enabled World - Brian Puhl
 
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM  in your Mobile Enterprise - Brian KatzCIS 2015 IoT and IDM  in your Mobile Enterprise - Brian Katz
CIS 2015 IoT and IDM in your Mobile Enterprise - Brian Katz
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
 
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve ToutCIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
CIS 2015 What I Learned From Pitching IAM To My CIO - Steve Tout
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
CIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean DeubyCIS 2015 The IDaaS Dating Game - Sean Deuby
CIS 2015 The IDaaS Dating Game - Sean Deuby
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...The Industrial Internet, the Identity of Everything and the Industrial Enterp...
The Industrial Internet, the Identity of Everything and the Industrial Enterp...
 
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John DasilvaCIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
CIS 2015 SAML-IN / SAML-OUT - Scott Tomilson & John Dasilva
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John DasilvaCIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
CIS 2015 So you want to SSO … Scott Tomilson & John Dasilva
 
CIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of ThingsCIS 2015 Identity Relationship Management in the Internet of Things
CIS 2015 Identity Relationship Management in the Internet of Things
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds

Slide 1. The Hitchhiker's Guide To Identity. Taking the Hyperspace Bypass: Controlling User Access to Other Worlds. Dale Olds, Sr. Staff Engineer, VMware Horizon Workspace. Cloud Identity Summit, July 2013.

Slide 2. Agenda
- Crossing boundaries with identity information
- Single sign-on and federated authentication
- Provisioning user information across borders
- Delegated authorization for distributed applications
- Standards and Vogon poetry

Slide 4. The limits of embedded accounts and shared directory services
It's a people problem:
- One account per application is killing us all – too many damn passwords.
- Initially easier for developers, but ultimately impossible for users as applications proliferate.
- Username and password is easy; change is hard.
It's a management problem:
- Management domains (organizations) have different needs and controls.
- Multiple apps can share a directory service such as Active Directory, but generally only within a management domain.
- The larger the management domain, the more political and difficult it is to change – the schema becomes concrete.
The solution is to enable the controlled transfer of identity information across management domains.

Slide 5. Think Facebook Connect. In the last few years Facebook may have accomplished more to promote the common understanding of federated identity than all the major enterprise vendors have in the last 20. Users now think of accounts as independent from applications: I have an account at Facebook; I can use it at other places.

Slide 6. Single Sign-on and Federated Authentication

Slide 7. Federated authentication
"Authentication is the act of confirming the truth of an attribute of a datum or entity... often involves verifying the validity of at least one form of identification." (Wikipedia)
Let's try that again. For our purposes: authentication is the act of determining who is making a request. For apps with embedded user accounts this is often called login.
Using federated authentication, an app trusts an identity provider to authenticate the user. The app gets the user's identity information from the provider but is not involved in the act of authentication. The identity provider may be in another management domain.
This is not like multiple apps sharing a directory service, where the apps authenticate users independently using common data.
SAML and OpenID Connect are protocols for federated authentication.

Slide 8. Browser redirects
Diagram: browser; Old Documents Site; New Documents Site.
1. Get me the Burning Man Survival Guide.
2. Document has moved; here is the new name and location.
3. Get me the new document.
The vast majority of all federated authentication systems, including all versions of SAML, OpenID, and OAuth, use browser redirects to separate the act of authentication from an app.

Slide 9. Federated authentication – solved for web applications
Diagram: browser; facespace identity provider (idp); sparklr photo sharing app; printr photo printing app; editr photo editing app.
1. Joe starts at sparklr but he's not logged in, so he gets redirected to the idp.
2. Joe logs in with a method known only to the idp. The idp saves a session with Joe and redirects back to sparklr with a signed token saying that this is Joe.
3. Sparklr trusts the token from the idp, sets up a session with Joe and grants access.
4. When Joe accesses printr or editr, they redirect him to the idp, which already has a session with Joe, so he is immediately redirected back with a token. Single sign-on!
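The four-step flow on slide 9, as an added example that is not code from the talk or from any product it mentions. A toy identity provider (facespace) holds the only copy of Joe's password and issues HMAC-signed tokens; two relying apps (sparklr, printr) verify the signature, issuer, audience and lifetime instead of authenticating Joe themselves; a browser object carries one cookie per site so the second app gets a token without a password prompt. The token format, the key shared between idp and apps, the sample credential and every class and function name are constructed here for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def verify_token(token, key, expected_iss, expected_aud, now=None):
    """Relying-app side: signature, issuer, audience and lifetime must all hold.
    Returns the claims on success, None on any failure."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None  # a token minted for sparklr must not log Joe in at printr
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None
    return claims


class IdentityProvider:
    """facespace: the only party that ever sees Joe's password."""

    def __init__(self, name, signing_key):
        self.name, self.signing_key = name, signing_key
        self.users = {"joe": "correct-horse-battery"}  # constructed sample credential
        self.sessions = {}                             # idp cookie -> username

    def login(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = username
        return cookie

    def authenticate(self, idp_cookie, audience):
        """Entry point for a redirected browser. An existing idp session yields a
        token with no password prompt: that is the single sign-on effect."""
        user = self.sessions.get(idp_cookie)
        return None if user is None else self.issue_token(user, audience)

    def issue_token(self, user, audience, ttl=300):
        now = int(time.time())
        claims = {"iss": self.name, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return (body + b"." + b64url(sig)).decode()


class Browser:
    def __init__(self):
        self.cookies = {}  # site name -> cookie; each site sees only its own


class App:
    """sparklr / printr: trusts the idp's signature instead of holding passwords."""

    def __init__(self, name, idp):
        self.name, self.idp = name, idp
        self.key = idp.signing_key  # assumption: key shared with the idp at registration
        self.sessions = {}          # app cookie -> username

    def handle(self, browser, credentials=None):
        """Returns (username or None, whether the idp had to prompt for a password)."""
        if browser.cookies.get(self.name) in self.sessions:
            return self.sessions[browser.cookies[self.name]], False
        prompted = False
        # 1. the app redirects the browser to the idp
        token = self.idp.authenticate(browser.cookies.get(self.idp.name), self.name)
        if token is None:
            # 2. no idp session yet: the idp shows its own login page
            if credentials is None:
                return None, True
            prompted = True
            idp_cookie = self.idp.login(*credentials)
            if idp_cookie is None:
                return None, True
            browser.cookies[self.idp.name] = idp_cookie
            token = self.idp.authenticate(idp_cookie, self.name)
        # 3. the browser comes back with the signed token; the app verifies it
        claims = verify_token(token, self.key, self.idp.name, self.name)
        if claims is None:
            return None, prompted
        app_cookie = secrets.token_urlsafe(16)
        self.sessions[app_cookie] = claims["sub"]
        browser.cookies[self.name] = app_cookie
        return claims["sub"], prompted


def demo():
    idp = IdentityProvider("facespace", secrets.token_bytes(32))
    sparklr, printr = App("sparklr", idp), App("printr", idp)
    joe = Browser()
    first = sparklr.handle(joe, credentials=("joe", "correct-horse-battery"))
    second = printr.handle(joe)  # 4. idp session already exists: no prompt
    third = sparklr.handle(joe)  # app session already exists: no redirect at all
    return first, second, third
```

The audience check in `verify_token` is the detail that matters most: every app must reject a token minted for a different app, otherwise one compromised relying party can replay tokens into the others.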
  • 10. Advantages of federated authentication l Since an identity provider can authenticate users for many apps, there should be fewer (but more secure) authentication sources. l Identity providers can add better authentication methods with no change to connected applications l Major identity providers are already adding multifactor, continuous authentication – trending toward recognition. l Incentives are to let a few identity providers handle authentication, and web applications focus on features. l Consider the Gawker and LivingSocial crack. . If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised. Tim O’Shaughnessy, CEO of LivingSocial
  • 11. Federated authentication – solved for web applications? Unfortunately solutions are a primary cause of problems (and there are some problems with this solution)
  • 12. Federated authentication for web apps: downsides fake idp facespace identity provider (idp) browser printr photo printing app editr photo editing app Privacy concerns: the idp knows every site that joe accesses with this account. Other systems have been proposed, but involve significant changes and trust of the user's machine (see information cards, browserID). Phishing concerns: if sparklr is evil it could redirect to fake idp, which reads the real idps ui, presents it to the user and steals their credentials The problem with logout: what does it actually mean? Users are confused... if I logout of the app, I'm still logged in at the idp which gives me SSO with the app? If I log out of the idp, what should that mean for the apps? sparklr evil photo sharing app What about non-browser apps? I've heard that mobile apps may be important.
  • 13. Federated authentication – the future SAML, OpenID Connect (with OAuth2) useful now for many use cases. We've made great progress, but there are many unresolved issues. Technological evolution and cultural change must continue. Work on OpenID Connect extensions for federated authentication for mobile applications is underway (see the AZA workshop). Advances in continuous authentication and recognition make authentication more convenient and more secure. Preventing phishing will be a longer, multi-component issue. Help from browsers is important and users may need to learn new expectations when interacting with sites.
  • 15. Provisioning Old fashioned provisioning: just get the sysadmins to copy the identity information across boundaries! Common questions: l If we have effective provisioning, do we need federated authentication? l If we have federated authentication, do we need provisioning? Classic, push, apriori, static provisioning l pros: forward references, less change, supports deprovisioning l cons: proliferates copies of identity information, hard to update, authentication issues Just in time (JIT) provisioning l pros: only create accounts when needed, no provisioning protocol or APIs needed (side effect of authentication). l cons: no forward references, no deprovisioning Provisioning standards: LDAP, SPML, SCIM
  • 17. Federated authentication: protecting the front door Federated authentication controls how users gain access to an app. This is like controlling who can come into the front door of a store.
  • 18. But the loading dock is open... Modern apps aggregate information from other services, we need to control access to those services are well. Who's protecting the loading dock?
  • 19. A modern web or cloud app uses external services sparklr photo sharing app facespace identity provider (idp) browser photo printing service map data service Joe needs to delegate authorization such that sparklr can access the services on his behalf. Enter OAuth2 photo storage service distributed app
  • 20. But first, let's talk about what happens when selling a car
  • 21. Illustration: selling a car Bank Sam Joe, used car broker Me, selling a rusty 2000 nissan pathfinder 1. Sam tells Joe he'll take the pathfinder. Joe replies that he'll need a cashiers check for the purchase price. 2. Sam authenticates and gets a cashier's check. 3. Sam gives the check (signed by the bank) to joe. 4. Joe gives the check to me in exchange for the car. I don't really care who Joe and Sam are, the check authorizes the transaction and it's guaranteed by the bank.
  • 22. Contents of a cashier's check
    - issuing bank
    - check number
    - account and name
    - authorized amount
    - issued at date
    - expiration date
    - recipient
    - authorized signature
  • 23. Same transaction in OAuth2 terms
    Roles: authorization server (bank); resource owner (user); client application (Joe, broker); resource server (me with the Pathfinder).
    1. User accesses application but is not authorized. Application redirects user to the authorization server with instructions of what authorization to request.
    2. User authenticates and approves release of token containing proof of authorization.
    3. User is redirected back to the client app, which gets the token.
    4. Client app presents token to resource server to authorize access to the resource.
  • 24. JSON web token (JWT) – a check format for the web
    - JWT is an IETF specification (pronounced 'jot')
    - Three parts: header, content, signature
    - While commonly used with OAuth2, OAuth2 does not require JWTs.
    - OpenID Connect does require JWTs for id_token
    Sample token content, with corresponding cashier's check fields:
    jwt         meaning                   cashier's check
    iss         issuer                    issuing bank
    jti         token ID                  check number
    sub         subject                   account & name
    iat         issued at                 issued at date
    exp         expiration                expiration date
    aud         audience                  recipient
    azp         OIDC authorized party
    scope*      authorization             authorized amount
    signature   third part of the token   authorized signature
    * commonly used, but not specified in JWT or OpenID Connect
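The check analogy carried into code, as an added example that is not part of the original slides: the "bank" mints an HS256 JWT carrying the claims from the table above, and the "resource server" verifies the signature, issuer, audience and expiry before honouring it. The key, issuer URL and claim values are constructed for the demo; the pure-stdlib implementation is an illustration, not a substitute for a maintained JWT library.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """The bank signs the check: base64url(header).base64url(claims).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """The resource server inspects the check. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")   # authorized signature does not match
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")    # drawn on a different bank
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")  # made out to someone else
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")         # past the expiration date
    return claims

def jwt_status(token: str, key: bytes, issuer: str, audience: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, key, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample check: Sam's bank authorizes Joe (the broker) to receive 2500.
SAMPLE_CLAIMS = {"iss": "https://bank.example", "jti": "chk-0001", "sub": "sam",
                 "iat": 1000, "exp": 1600, "aud": "joe-broker", "scope": "pay:2500"}
```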
  • 25. Implicit grant
    Roles: authorization server; resource owner via user agent (browser); client application; resource server.
    1. User accesses application but is not authorized. Application redirects user to the authorization server to request authorization.
    2. User authenticates and approves release of token containing proof of authorization.
    3. User is redirected back to the client app with an access token in the location fragment.
    4. Client app presents access token to resource server to authorize access. Client app can use the access token until it expires.
    - access token is exposed to the user's agent
    - access token lifetime is the longest interval the user cannot revoke access
    - client id, redirect urls must be registered – no secret
    - generally a less secure and less convenient grant – avoid if possible
  • 26. Authorization code and refresh token grants
    Roles: authorization server; resource owner via user agent (browser); client application; resource server.
    1. User accesses application but is not authorized. Application redirects user to the authorization server to request authorization.
    2. User authenticates and approves release of token containing proof of authorization.
    3. User is redirected back to the client app with an authorization code.
    4. Client redeems authorization code for access and refresh tokens.
    5. Client app presents access token to resource server to authorize access. Client app can use the refresh token to request a new access token on expiration.
    - access and refresh tokens aren't exposed to the user's agent
    - access token lifetime is the longest interval the user cannot revoke access
    - refresh token lifetime is the interval before the user has to re-authenticate
    - client id, secret, redirect urls must be registered
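The authorization code and refresh token grants as a small in-memory simulation, added here as an example and not code from the slides or from any VMware product: it shows the code being bound to the registered redirect URI and consumed once, the client secret gating step 4, and why the access token lifetime is the window the user cannot revoke while the refresh token lifetime is the re-authentication interval. The server class, client secret and timestamps are constructed; tokens are opaque random strings rather than JWTs.

```python
import secrets

class AuthorizationServer:
    """Constructed stand-in for the 'bank' in the authorization code grant (not a real library)."""
    ACCESS_TTL = 300     # seconds; the window during which the user cannot revoke
    REFRESH_TTL = 86400  # seconds; after this the user has to re-authenticate

    def __init__(self, clients):
        self.clients = clients  # client_id -> (secret, redirect_uri), registered up front
        self.codes = {}         # code -> (client_id, user, scope)
        self.access = {}        # access token -> (user, scope, expires_at)
        self.refresh = {}       # refresh token -> (client_id, user, scope, expires_at)

    def authorize(self, client_id, redirect_uri, user, scope):
        """Steps 1-3: the user has authenticated and approved; issue a one-time code."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            return None  # unknown client, or redirect URI is not the registered one
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def token(self, client_id, secret, now, code=None, refresh_token=None):
        """Step 4: client authenticates with its secret and redeems a code or refresh token."""
        if self.clients.get(client_id, (None,))[0] != secret:
            return None
        if code is not None:
            entry = self.codes.pop(code, None)  # single use: a replayed code is rejected
            if entry is None or entry[0] != client_id:
                return None
            _, user, scope = entry
            refresh_token = secrets.token_urlsafe(16)
            self.refresh[refresh_token] = (client_id, user, scope, now + self.REFRESH_TTL)
        else:
            entry = self.refresh.get(refresh_token)
            if entry is None or entry[0] != client_id or now >= entry[3]:
                return None
            _, user, scope, _ = entry
        access = secrets.token_urlsafe(16)
        self.access[access] = (user, scope, now + self.ACCESS_TTL)
        return {"access_token": access, "refresh_token": refresh_token, "expires_in": self.ACCESS_TTL}

    def revoke(self, user):
        """User withdraws consent: refresh tokens die now; issued access tokens live until expiry."""
        self.refresh = {k: v for k, v in self.refresh.items() if v[1] != user}

    def check_access(self, access_token, now):
        """Step 5: the resource server validates the presented access token."""
        entry = self.access.get(access_token)
        if entry is None or now >= entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1]}
```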
  • 27. Resource owner password grant from native app
    Roles: authorization server; resource owner via native app; resource server.
    1. User accesses cloud controller but is not authorized. Application gets username and password.
    2. App posts user credentials to authenticate the user and auto-approve release of token containing proof of authorization; requests password grant.
    3. Returns to the app with an access token and a refresh token.
    4. App presents access token to resource server to authorize access. App can use the access token until it expires, but can get a new access token with the refresh token.
    - access and refresh tokens are exposed to the user's machine
    - access token lifetime is the longest interval the user cannot revoke access
    - limited to user name and password
  • 28. Client credentials grant
    Roles: authorization server; client application; resource server.
    1. Client authenticates and gets an access token with all its registered authorizations.
    2. Client app presents access token to resource server to authorize access.
    - access token cannot be revoked for its lifetime
    - client id, secret must be registered
  • 30. Standards landscape: federated authentication
    “There is no future for SAML. No one is putting money into SAML development. NO ONE is writing new SAML code. SAML is dead.” (Craig Burton, CIS 2012)
    While Craig's statement was entertaining, my team respectfully disagrees. We continue to implement SAML because our business is to support valid customer use cases. For us, SAML isn't dead, it's done. It's complete. We can safely implement it.
    OpenID Connect is very promising. It's not dead, but it's not done.
    - OpenID Connect has been baking for over 3 years
    - It is implementable, useful now and fairly stable.
    - Combines very well with OAuth2 (delegated authorization) and SCIM (provisioning) for a mostly complete identity system.
  • 31. Standards landscape: provisioning and delegated authorization
    Provisioning
    - My bet is on the Simple Cloud Identity Management (SCIM 1.1) protocol produced by a group of interested individuals.
    - And my bet is on the IETF's System for Cross-domain Identity Management (SCIM 2.0) protocol.
    - SCIM 1.1 is implementable, stable, and combines well with OAuth2
    - SCIM 2.0 is the first IETF spec and has been in development for just over a year.
    Delegated Authorization
    - OAuth2 rules and is becoming a family of specifications.
    - Personally, I like to use it with JWT – which is also becoming a family of specifications.